CQC to launch security review after losing personal data

Certificates relate to people who have applied to be “registered managers” and could include information about previous criminal convictions

CQC alerted breach to Information Commissioner’s Office

The Care Quality Commission is to launch an independent review of its security arrangements after losing sensitive personal data.

The documents potentially include information about people’s previous criminal convictions and cautions.

David Behan

David Behan apologised to people whose data may have been lost

Up to 500 disclosure and barring service certificates have been lost after a locked filing cabinet was wrongly marked for removal and destruction during a refurbishment of the regulator’s Newcastle office earlier this month.

The certificates include information about people who had applied to become “registered managers and providers”. The forms include their full name, date and place of birth, name of employer and position applied for, and in some cases could include information about previous criminal convictions and cautions.

A registered manager is responsible for ensuring providers of health and adult social care meet expected standards of quality and safety across their services. There are around 386,800 in England. The data security breach mainly relates to the adult social care sector.

In a statement the CQC said as soon as it became aware of the breach it carried out a “thorough and comprehensive investigation”. It has written to those affected and has reported the incident to the Disclosure and Barring Service Authority, the Department of Health and the Information Commissioner’s Office.

The CQC believes the records have all been destroyed but was unable to confirm this definitively.

David Behan, the CQC’s chief executive, said: “I would like to apologise to the individuals whose DBS certificates have been lost… and for any distress this may cause. I deeply regret that this has happened.

“I intend to commission an independent, external review of CQC’s security arrangements in case wider lessons can be learned and so that we can be confident that something like this does not happen again.”

The incident affects people who applied to become registered managers and providers between July 2015 and March 2016.

In April the CQC moved to an online system, which has removed the need for paper copies to be retained.